Last September, British Airways reported a data breach involving details of 380,000 financial transactions. Two months later, a cyberattack on the Marriott Hotel group compromised the guest reservation database of over 500 million people. The database included payment details, passport numbers, names of guests, phone numbers and email addresses.
These are simply cases in point. The travel industry was the second-most attacked industry last year, accounting for 13% of reported attacks—up from the 10th position in 2017, according to the IBM X-Force Threat Intelligence Index 2018 published this May.
“People carry a gold mine of data when travelling, including passports, payment information and detailed travel itineraries. When placed in the hands of a cybercriminal, all of this information can be patched together into a complete picture of the traveller’s life to inform identity theft, initiate spear phishing attacks, or be sold on the Dark Web," cautions Caleb Barlow, vice-president of X-Force Threat Intelligence at IBM Security in an official blog post.
But why are people more vulnerable when travelling? For one, it is easier to get distracted while travelling. Two, people often opt for convenience over security and end up doing things they won’t do when they are at home. For instance, when at home they may have firewalls on their Wi-Fi networks to protect their devices, but when travelling they will readily connect to an open (public) Wi-Fi network at a hotel or airport. Wi-Fi networks without passwords are easy target for hackers. Even in case of password-protected Wi-Fi networks, hackers can set up a fake Wi-Fi network with an SSID (service set identifier) name that almost looks similar to the original and wait for users to login by mistake, thinking it was the original (called Spoofing).
Three, even charging a device using a USB station at airports can be risky and can give hackers access to users’ email, photos and other data on the device. Known as Juice Jacking, this sort of attack is carried out through a USB port at a charging station.
Hackers can tamper the USB ports so they can remotely use it to transfer personal data from their phone or to upload a malicious file on them.
According to Norton security, a newer version of juice jacking is Video Jacking. In this case, hacker outfits connect a charging station with an HDMI splitter and recorder. When users connect the device to the USB charging station, the hacker can view and record whatever they are doing on the smartphone.
Four, randomly publishing photos on social media can also pin point a user’s exact location and alert hackers. Most social networking sites such as Facebook, Twitter and Snapchat, geotag (showing locations) photos when they are uploaded.
Also Read | Social media fraud increased 43% in 2018: Report
According to Deloitte Global’s 8th annual Millennial Survey, published this May, 90% of millennials and 87% of Gen Z expressed concerns about the security of the personal data that businesses have on them. “I think there is a growing awareness among the community of consumers with respect to data, they might not be fully aware what it means, but there is an anxiety to understand how the data is being taken care of," says Manish Sehgal, partner, Deloitte India.
With growing internet penetration, plenty of new travel-related social media and online booking platforms have surfaced. How these travelling platforms are handling user data is also a cause for concern for many. Also, with the hotel and travel industry investing in digital transformation, almost every data-related activity is now carried on an intranet or internet.
Sticking to one single platform is not the solution. Sehgal points out that in a cyberworld, where there is a new vulnerability every day, no platform can ever be foolproof.
“What the companies in the travel industry can do is to make sure that they are taking good care of the data keeping the baseline security hygiene and data privacy requirements," he explained.
Further, Sehgal rues that travel, tourism and hospitality have not been significantly regulated compared with industries such as telecom, banking, financial services and insurance and life sciences.
There are international consortia and fora that promote data privacy, but none had regulatory powers. However, post the EU general data protection regulation (GDPR), the travel industry’s approach to data privacy has changed and securing user data has now become a priority for many. Of course, that does not absolve users of their responsibility to secure their devices.